SANS Institute has released the SANS 2023 Security Awareness Report, 'Managing Human Risk’. Rooted in the experiences of nearly 2,000 participants from 80 countries, the report underscores the escalating stakes in human cyber risks.
"The digital world is expanding rapidly, and with it, the human element of cyber security becomes ever more important as it evolves as a primary target for cyber threats globally," says Lance Spitzner, SANS Security Awareness Director and co-author of the report. "The report serves as a compass, guiding organizations not just to understand but proactively manage human cyber risks. By unifying data from thousands of participants globally, we've uncovered patterns and practical approaches that can empower organizations to transform their human risk landscapes."
The report provides an in-depth analysis and actionable steps for security professionals to mature their awareness programs, advance their careers, and benchmark their programs globally using the Security Awareness Maturity Model. Notably, the study found that mature security programs, marked by robust teams and leadership support, are characterized by having at least three full-time employees in their security awareness teams.
Key points in Managing Human Risk include:
Top human risks: the primary threats include phishing, vishing, and smishing attacks; password / authentication risks mitigated by advanced tools; the challenge of fostering a security culture for effective detection / reporting; and the risk of IT admin misconfigurations, especially in complex cloud environments.
Leadership perspective: as in previous years, security awareness remains predominantly considered a part-time commitment within organizations. A noteworthy 70 percent of security awareness practitioners disclosed that they dedicate half or less of their working time to it this year. This insight underscores the ongoing challenge of elevating the importance of continuous cyber security awareness in the day-to-day operations of organizations.
Talk in terms of risk: leadership and security teams often perceive security awareness as not part of security, but rather as a compliance effort that has little relevance to managing risk. To help change such perceptions, focus on and speak in terms of human risk management. Human risk is far more likely to align with most organizations' strategic security priorities, gain leadership buy-in, and resonate with a security team. Help your security team members understand how you help them, and work with them to identify the top human risks and the key behaviors that manage those risks. Demonstrate how effective communications, training, and engagement is changing those key behaviors and reducing human risk. Partner with Security Operations Center, Incident Response and Cyber Threat Intelligence Teams not only to learn their work but also to show them how you can help solve their human-risk-related challenges.
Leadership support: dedicate two to four hours a month to collecting metrics about the impact and value of your security awareness program and communicating that value to leadership. This information can include informal metrics, established key performance indicators, and even success stories to enable leadership to better understand and regularly see the value that your program is providing.
Team size: while technical security has been a focal point for organizations, the human side of security has often been overlooked. This imbalance leaves the workforce as an appealing target for cyber attacks. It's not uncommon to find a 50-member security team with 49 focusing on technology, leaving just one person to manage human risk. This underinvestment in human-focused security contributes to the prominence of human cyber risks. The report recommends a starting point of a 10-to-1 ratio of technical to human-focused security professionals, to begin bridging this gap.